After Google hack, Microsoft asks users to abandon IE6, XP

Microsoft is recommending that Windows XP and IE6 users upgrade both their …

Microsoft is using a widely publicized flaw in Internet Explorer as a way to push users to upgrade both their browsers and operating systems.

On its Security Research & Defense blog, Microsoft explains that while IE7 and IE8 on Windows Vista and Windows 7 both include the flawed code that was exploited in the recent Chinese attacks on Google, the publicly released exploit code only works against IE6 on Windows 2000 and Windows XP. So the company is urging users to think about upgrading their version of IE, or even their OS (which also results in a newer version of IE).

"As you can see, the client configuration currently at risk is Windows XP running IE6," the blog post reads. "We recommend users of IE6 on Windows XP upgrade to a new version of Internet Explorer and/or enable DEP. Users of other platforms are at reduced risk. We also recommend users of Windows XP upgrade to newer versions of Windows."

Still, this is the first time we've seen Microsoft actually recommend users upgrade because of a specific flaw, and not just away from IE6 but away from Windows XP completely. Microsoft doesn't say that newer versions of Internet Explorer and later Windows releases are invulnerable to the flaw, but it does explain that they have "reduced risk to the exploit" due to platform mitigations such as IE Protected Mode and Data Execution Prevention.

The company first explained these mitigations last week when it admitted that its own investigations into the highly organized hacking attack in late December had concluded that a Remote Code Execution vulnerability in IE was used by the perpetrators. That vulnerability is triggered by an attacker using JavaScript to copy, release, and then later reference a specific Document Object Model element; attack code may be executed if it is successfully placed in a random location of freed memory. Microsoft has yet to issue a patch.

I just bought a 16-GB SSD Dell Mini (Inspiron 910) with Windows XP installed in early December.

Of course my very first act was to install Safari on it, make it the default browser, and to delete any alias icons to Explorer in the desktop and start menu. I did not research whether Explorer can be utterly annihilated, and it looks as if the Windows Update system relies on the craptastic Explorer.

Unless Microsoft gives me a free copy to another OS, I don't think I'll be getting rid of XP any time soon.

There is not much to the actual 'Internet Explorer'. It's all integrated into the OS and uses functionality that is present in most Windows programs. Similar stuff is used for your 'Explorer' file manager and all sorts of stuff like that.

It would be easier to get rid of Windows than it would be to get rid of Internet Explorer in Windows.

------------------

On a different thought..

If you were using a 5 year old version of Linux and wanted security updates that were not forthcoming, then I would tell you to upgrade your OS rather than trying to stick with the old OS.

Same thing with OS X.

There is only so long that MS can keep dragging XP along here. If you want a modern and up to date version of XP that is supported, you can have it. It's called 'Windows 7'.

I have a hard time believing IE Protected Mode really blocks this attack vector. In my experience, IE Protected Mode is not a security boundary--it's just like UAC for integrity levels. It throws up prompts, but if the user clicks "Allow" you're just as infected as if IE Protected Mode weren't there. DEP, on the other hand, actually blocks things in a way that can't be foiled by an uneducated user clicking the wrong button.

So if I understand correctly, IE Protected Mode only mitigates this by throwing up a prompt that many users would click past and infect themselves, right? Anyone have any more details on this?

There is only so long that MS can keep dragging XP along here. If you want a modern and up to date version of XP that is supported, you can have it. It's called 'Windows 7'.

Not really true...if it were true, then everything that worked in XP would magically work in 7. I have both...I really, really like Win 7, but I cannot use it for everything just yet.

I was going to put Win7 on my HTPC, but then found out three things (1 software, 2 hardware) that would have issues with Win 7. Meanwhile XP just works...so basically after I spent money on a new OS, I needed to spend even more money to basically get a brand new machine to run it on. I opted for sticking with XP...it wasn't broken, and works fine.

Let's see... Internet Explorer 6 on Windows XP is vulnerable so Microsoft wants us to abandon them. Nevermind that Internet Explorer 7 and 8 both run on XP. Okay. Using that logic we should abandon Vista and Windows 7 since Internet Explorer 7 and 8 are also exploitable.

"Ooh, maybe we can turn this into an advantage and get people to buy new stuff from us".

Originally posted by mikepaul: mikepaul asks Microsoft to make his video capture cards work under Windows 7 so he can upgrade from XP.

Microsoft ignores the idea? Same here...

I suggest you ask your video capture card manufacturer why their crappy product doesn't have drivers that will work with Windows 7.

You may also want to consider actually buying a decent video capture card.

If the card works fine in XP, why does he need to spend more to get it to work on Win 7? At the end of the day, people just need their machines to get stuff done, not to get it done in Win 7.

If MS is serious about getting people to want to upgrade, then they need to ensure that their OS is easy to upgrade to.

It is easy to upgrade to Windows 7 (or at least not more difficult than upgrading most other OSes from one major version to another). Are you proposing that Microsoft should make sure that EVERY device with a Windows XP driver is supported in Windows 7? How would they go about doing that?

Nope. Canopus and Dazzle long since gave up on direct-to-MPEG2 cards, although last I knew Canopus was the one still in business. It's like the work required to redo the drivers in a Vista-compatible way was just too much. I can't recall any similar cards that survived the changeover.

Cards still function perfectly under an operating system that doesn't reject the drivers...

Originally posted by Grashnak: I suggest you ask your video capture card manufacturer why their crappy product doesn't have drivers that will work with Windows 7.

Same goes for a lack of Linux support, right?

Yes, in a way it does. [ignoring community developer drivers] If potential customers who are willing to give money to a manufacturer keep speaking up, maybe some will listen. (This doesn't happen but, hey, who knows.) If they answer "we don't plan on supporting that platform" then take your money elsewhere instead of complaining on the interwebs, simple as that.

Originally posted by AdamM: It's not about him upgrading the OS, it's the fact that all of a sudden his video capture card drivers are the responsibility of Microsoft.

Well, I've been told before that a driver didn't *have* to use whatever direct-kernel access that these MPEG2 cards' drivers used. It seems like *any* card that used a hardware MPEG2 chip folded when Vista refused to allow the drivers that XP was fine with. If it was easy to change, yes, I expect a vendor like Canopus wouldn't have just abandoned the card.

So in short, there was a change on Microsoft's part that left the cards orphaned, and for that I blame Microsoft. Heap all the scorn you want on companies that didn't read whatever tea leaves they should have and worked with hardware that wasn't up to Microsoft's eventual changes. I don't care. I still say that there's nothing functionally wrong with the equipment I have, and nothing good *and* affordable is around to replace them so I'll stick with XP until all the cards are dead. If I'm lucky, I'll still be able to get a PC with PCI in it until that happens...

Originally posted by kray28: Tell that to my entire company - global professional services/consulting firm with billions in revenue.

Heck tell that to most of our clients (other global multi-billion dollar firms)

They all still use XP, and Office 2003, and most run IE6 as the standard desktop web browser.

You say that like it's supposed to be an example of judicious IT planning or something...

QFT.

Sounds to me more like lazy IT admins than anything. With billions in revenue, swapping out software and hardware to move the company into drastically safer territory should at least have a roll-out schedule.

It's not about him upgrading the OS, it's the fact that all of a sudden his video capture card drivers are the responsibility of Microsoft.

How in the world is it the responsibility of Microsoft to develop for companies that made software for their OS? That's like saying if Mozilla goes out of business it's up to Microsoft to push the security updates.

BTW, have you tried the compatibility mode from Windows 7 XP Mode? It requires you to install 2 pieces of software so you are basically running a VM of XP on your machine, but you don't actually interface with it. I got a plotter that was made in 1995 that only had 2k drivers to work in 7, so it may be possible for your cards to work too.

Originally posted by darkpill: Maybe if Microsoft took security more seriously back then this wouldn't be necessary.

What good does this line of thinking do? Microsoft didn't take security seriously back then. Nothing is going to change that. They've changed their ways, and their new stuff is pretty damn secure. Get over it.

Sometimes I think there is just a poor grasp of business reality when it comes to some tech people. The prime issue with an OS changeover (one which will be considerably more complicated than going from Win2k to XP) will be financial. Companies don't want to spend the money. Especially when XP is still getting the job done. Individuals within the company don't want to change either...they don't want stuff to stop working when it worked fine on XP before. Companies have tons of money invested in software that is mission critical...they can't afford the risk of it not working...and they certainly aren't willing to spend money to have it all stop working.

My company says that they might finally changeover to Win 7 in 2011...that's a might. In a down economy, I'd say it'll take even longer to justify the expense.

Originally posted by kray28: Companies don't want to spend the money. Especially when XP is still getting the job done.

If it's still 'getting the job done' then that's the end of the discussion. Keep using XP. But if part of 'getting the job done' requires secure external web browsing, your argument is no longer valid.

And no, the rest of the web is not going to subsidize your IT department's lack of planning by supporting IE6 compatibility anymore. I think we've long discussed 'externalized costs' and why they are a selfish corporate mentality.

Not to mention the effect on the end users. You'd think in your firm, the end users would be both a) amenable to change and b) smart enough to figure out a new OS, more so if there was some formal training. However, in the "average" US business, neither of those things is true.

Originally posted by BullBearMS: Internet Explorer 8 running on Windows 7 is just as vulnerable to the actual exploit in question as Internet Explorer 6 running on Windows XP.

Was this article written by Microsoft's marketing department? Why isn't this important point made clear?

The article addressed this; there was a quote from MS stating that it was the combination of IE6 *on XP* that they were recommending against, and other combinations were at "reduced risk." What's the source for your assertion?

Well, I've been told before that a driver didn't *have* to use whatever direct-kernel access that these MPEG2 cards' drivers used. It seems like *any* card that used a hardware MPEG2 chip folded when Vista refused to allow the drivers that XP was fine with.

meanwhile, the Hauppauge and ATi MPEG-2 capture cards I have both worked out of the box with Vista and 7 (i.e. the respective vendors wrote drivers that MS then bundled with the OS.)

quote:

So in short, there was a change on Microsoft's part that left the cards orphaned, and for that I blame Microsoft.

Yeah, evil Microsoft trying to improve and update their OS. I don't get it. People whine that MS doesn't innovate, and people whine when they leave stuff behind. Can't have it both ways.

quote:

Heap all the scorn you want on companies that didn't read whatever tea leaves they should have and worked with hardware that wasn't up to Microsoft's eventual changes.

There were no "tea leaves," c'mon. MS was putting up big neon signs and billboards about what they were changing in Vista. Do you remember how long Vista was in development? MS gave plenty of notice and information to hardware vendors about the changes coming. It's absolutely inexcusable to blame Microsoft because your hardware vendor couldn't or refused to keep up. Canopus is the one giving you the middle finger here.

My company says that they might finally changeover to Win 7 in 2011...that's a might. In a down economy, I'd say it'll take even longer to justify the expense.

Which is all well and good, and you're correct, but then organizations that choose not to upgrade, or at least plan migrations, in defense of existing systems and software, need to be prepared for other problems to manifest -- without solutions -- as other technologies move forward.

I may not agree with much of what Microsoft does, but I think throwing down a gauntlet and saying "our efforts are behind Windows 7 and IE 8. You're on your own" is absolutely justified and the only smart decision for them to make.

Originally posted by mikepaul: If it was easy to change, yes, I expect a vendor like Canopus wouldn't have just abandoned the card.

There's one other possibility that you haven't considered - that it was financially feasible to do so.

HP didn't release new drivers for Windows Vista for most of their devices. Now, I know for a fact that the WDDM drivers that shipped with XP work fine in Vista for at least one of their scanners (but you have to manually extract them). If there were no problems with the driver HP already had, then why not just rerelease the driver with an installer made for Vista?

Answer: it would still cost money. They would either have to hire someone or transfer one of their existing workers, which diverts work away from their current money-makers. Even the trivial amount of work it would require to do so would cost too much money, especially considering they would have to write, test and support the driver for hundreds of devices.

The fact is, you have to make a business case for them to do so. If they are no longer selling the card, what point is there in writing a new driver?

quote:

Nope. Canopus and Dazzle long-since gave up on direct-to-MPEG2 cards...

If Canopus and Dazzle are no longer making these cards, then why on Earth is it Microsoft's fault? By your own admission, these companies are no longer supporting your device.

It is not Microsoft's responsibility to keep everything exactly the same. In fact, the reason breaking changes were made was so improvements could be made to the driver model. This is a good thing.

Originally posted by dlux: And no, the rest of the web is not going to subsidize your IT department's lack of planning by supporting IE6 compatibility anymore. I think we've long discussed 'externalized costs' and why they are a selfish corporate mentality.

I'm sorry, I don't see any reason why a corporation should be anything but selfish. If IE 6 and XP are working for my corporation, why should I care if it costs somebody else money to keep supporting it? Not my problem. Try making a case to shareholders why you should spend $x million with great risk of interruption of your business because it will save somebody else money.

Originally posted by Jim Z: meanwhile, the Hauppauge and ATi MPEG-2 capture cards I have both worked out of the box with Vista and 7 (i.e. the respective vendors wrote drivers that MS then bundled with the OS.)

Do they have a chip like Cosmic Cube made, to do direct-to-MPEG2?

quote:

Yeah, evil Microsoft trying to improve and update their OS I don't get it. People whine that MS doesn't innovate, and people whine when they leave stuff behind. Can't have it both ways.

OK, I'll have support for the stuff Microsoft cavalierly left behind. Oh, wait, now you'll pick on that.

quote:

There were no "tea leaves," c'mon. MS was putting up big neon signs and billboards about what they were changing in Vista. Do you remember how long Vista was in development? MS gave plenty of notice and information to hardware vendors about the changes coming. It's absolutely inexcusable to blame Microsoft because your hardware vendor couldn't or refused to keep up. Canopus is the one giving you the middle finger here.

Hey, all I'm saying is that a class of cards with MPEG2 chips disappeared once Vista came along. If not ALL of them disappeared that's great for the folks who lucked out. I'm not going anywhere soon because of what Microsoft did. Feel free to fanboy for Microsoft all you want...